CVE-2024-42115 in Linux
Summary
by MITRE • 07/30/2024
In the Linux kernel, the following vulnerability has been resolved:
jffs2: Fix potential illegal address access in jffs2_free_inode
During the stress testing of the jffs2 file system,the following abnormal printouts were found: [ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948
[ 2430.649622] Mem abort info:
[ 2430.649829] ESR = 0x96000004
[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits
[ 2430.650564] SET = 0, FnV = 0
[ 2430.650795] EA = 0, S1PTW = 0
[ 2430.651032] FSC = 0x04: level 0 translation fault
[ 2430.651446] Data abort info:
[ 2430.651683] ISV = 0, ISS = 0x00000004
[ 2430.652001] CM = 0, WnR = 0
[ 2430.652558] [0069696969696948] address between user and kernel address ranges
[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33
[ 2430.655008] Hardware name: linux,dummy-virt (DT)
[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 2430.656142] pc : kfree+0x78/0x348
[ 2430.656630] lr : jffs2_free_inode+0x24/0x48
[ 2430.657051] sp : ffff800009eebd10
[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000
[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000
[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14
[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000
[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000
[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19
[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14
[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302
[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342
[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000
[ 2430.664217] Call trace:
[ 2430.664528] kfree+0x78/0x348
[ 2430.664855] jffs2_free_inode+0x24/0x48
[ 2430.665233] i_callback+0x24/0x50
[ 2430.665528] rcu_do_batch+0x1ac/0x448
[ 2430.665892] rcu_core+0x28c/0x3c8
[ 2430.666151] rcu_core_si+0x18/0x28
[ 2430.666473] __do_softirq+0x138/0x3cc
[ 2430.666781] irq_exit+0xf0/0x110
[ 2430.667065] handle_domain_irq+0x6c/0x98
[ 2430.667447] gic_handle_irq+0xac/0xe8
[ 2430.667739] call_on_irq_stack+0x28/0x54
The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of the jffs_inode_info structure. It was found that all variables in the jffs_inode_info structure were 5a5a5a5a, except for the first member sem. It is suspected that these variables are not initialized because they were set to 5a5a5a5a during memory testing, which is meant to detect uninitialized memory.The sem variable is initialized in the function jffs2_i_init_once, while other members are initialized in the function jffs2_init_inode_info.
The function jffs2_init_inode_info is called after iget_locked, but in the iget_locked function, the destroy_inode process is triggered, which releases the inode and consequently, the target member of the inode is not initialized.In concurrent high pressure scenarios, iget_locked may enter the destroy_inode branch as described in the code.
Since the destroy_inode functionality of jffs2 only releases the target, the fix method is to set target to NULL in jffs2_i_init_once.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/26/2025
The vulnerability identified as CVE-2024-42115 affects the Linux kernel's jffs2 file system implementation and represents a critical memory safety issue that can lead to kernel oops and potential system instability. This flaw manifests during stress testing conditions where improper memory handling results in illegal address access attempts. The kernel panic occurs when the jffs2_free_inode function attempts to free memory at virtual address 0x0069696969696948, which falls within the user-kernel address space boundary, indicating a clear violation of memory management principles. The error trace shows that kfree() is called with a parameter value of 0x5a5a5a5a, a pattern commonly used in memory testing to identify uninitialized memory regions, suggesting that memory was not properly initialized before use.
The root cause of this vulnerability stems from improper initialization sequence within the jffs2 file system implementation. During inode creation, the function jffs2_i_init_once properly initializes the sem member of the jffs_inode_info structure, but other members remain uninitialized. The jffs2_init_inode_info function, which should initialize all members, is called after iget_locked, but in high-concurrency scenarios, iget_locked may trigger the destroy_inode process before initialization completes. This race condition occurs because the destroy_inode functionality only releases the target field of the inode structure, leaving other members in an uninitialized state. The memory corruption results in the kernel attempting to free invalid memory addresses, leading to the kernel paging request failure and subsequent system crash.
This vulnerability aligns with CWE-457: Use of Uninitialized Variable and CWE-121: Stack-based Buffer Overflow, both of which are fundamental memory safety issues that can lead to arbitrary code execution or system crashes. The issue demonstrates a classic case of improper resource management where memory allocated for inode structures is not properly initialized before use, creating a potential attack surface for privilege escalation or denial of service attacks. The ATT&CK framework categorizes this under T1499.004: Endpoint Denial of Service, as the vulnerability can be exploited to cause system instability through kernel memory corruption.
The fix implemented addresses the core initialization problem by setting the target member to NULL within the jffs2_i_init_once function. This ensures that even if race conditions occur during concurrent inode creation, the target field will not contain garbage values that could cause memory corruption during cleanup operations. The mitigation strategy effectively prevents the kernel from attempting to free uninitialized memory addresses, thereby eliminating the potential for kernel oops and system crashes. System administrators should update to kernel versions containing this fix and monitor for potential performance impacts related to the additional initialization overhead, particularly in high-concurrency environments where jffs2 file system operations are frequent.